Why Compliance (Still) Matters

John F. Savarese is a partner at Wachtell, Lipton, Rosen & Katz. This post is based on a Wachtell Lipton memorandum by Mr. Savarese,  Ralph M. Levene, David B. Anders, and Marshall Miller.

We and many other observers have noted the significant drop over the past two years in both the number of white-collar prosecutions and the scale of corporate fines and penalties. In such an environment, companies might be tempted to think that having an effective compliance program is less urgent and less important than in the past. Our experience suggests that succumbing to such temptation would be a mistake. In fact, now is arguably the best time for corporations to continue investing in their compliance programs to ensure they have in place an effective and comprehensive set of compliance policies, procedures and internal controls.

Four important developments support this view:

First, the Department of Justice and other law enforcement authorities—through various policy pronouncements and speeches over the past 18 months—have made their white-collar decision-making process more transparent. Law enforcement authorities have clarified what they expect to see in a well- maintained corporate compliance regime and how the presence (or absence) of those elements will be weighed when determining critical components of corporate resolutions, such as the type of disposition they will seek, the scale and nature of financial penalties, and other remedial measures, including monitors, that may be imposed. (See our 2018 Year-End Memo) Indeed, just last week, DOJ’s Antitrust Division announced a new policy that empowers prosecutors, when making charging decisions, to give credit to companies for having effective antitrust compliance programs, noting that the Division “is committed to rewarding corporate efforts to invest in and instill a culture of compliance.” Put simply, the “carrot” being offered by law enforcement to encourage compliance and cooperation is bigger than ever, but so is the “stick” used when companies fall short of these governmental expectations.

Second, the record of corporate dispositions over the past two years illustrates the dramatic differences in how the government rewards on the one hand, and punishes on the other, the range of corporate responses to underlying misconduct. For example, in Cognizant Technology Solutions Corp. (Feb. 13, 2019), DOJ declined to take any criminal enforcement action against the company “notwithstanding that the [FCPA] misconduct reached the highest levels of the company,” because the company “voluntarily self-disclosed the conduct within two weeks of when the board learned of it,” and, as a result, DOJ was able to develop criminal cases against individual executives. Similarly, in Walmart Inc. (June 20, 2019), despite an extensive record of wrongdoing and a failure to initially self-report misconduct in a Mexican subsidiary, the Walmart parent was able to secure a non-prosecution agreement. This result was due in large part to the company’s extensive and proactive cooperation, and its adoption of substantial remedial measures, including the hiring of a global chief ethics and compliance officer, with direct reporting to the board’s Audit Committee, a wide array of anti- corruption monitoring measures, enhanced internal controls, expanded training and the termination of relationships with third parties involved in corrupt activities.

Conversely, in Rabobank N.A. (Feb. 7, 2018), DOJ insisted upon a corporate guilty plea for Bank Secrecy Act and AML violations because the bank had implemented a flawed BSA/AML program that precluded appropriate investigation of suspicious transactions, and senior executives actively obstructed an initial OCC examination of the bank, submitted false and misleading information about its BSA/AML program, and demoted or terminated employees who were raising questions about the adequacy of the bank’s compliance program. Similarly, though somewhat less dramatically than in the Rabobank case, in HSBC Holding plc (Jan. 18, 2018), DOJ required a deferred prosecution agreement principally because the bank’s initial efforts to cooperate were deficient in several respects and it did not voluntarily and timely disclose the underlying misconduct. And according to recent media reports, the Federal Trade Commission has approved a $5 billion penalty against Facebook for violating a 2012 consent decree that required, among other things, implementation of a comprehensive consumer privacy compliance program.

Third, DOJ recently issued an extensive memorandum providing guidance regarding its specific expectations concerning corporate compliance programs, cooperation, remediation and restitution. The guidance highlights that prosecutors may “reward” efforts to improve compliance through a more favorable form of resolution or a reduced penalty. And in a speech announcing the guidance, the Assistant Attorney General for DOJ’s Criminal Division emphasized that implementation of an effective compliance program is a precondition to eligibility for a declination under DOJ’s FCPA Corporate Enforcement Policy. (See our prior memo here)

The DOJ guidance runs to 18 pages, and we will not try here to summarize all of what it covers. However, in our view, the central takeaways include:

  • developing a comprehensive inventory of the legal, regulatory and reputational risks entailed in running the company’s various business lines;
  • periodically refreshing and updating this inventory as the company’s businesses, sales/marketing practices, markets, geographic scope and customer base evolve over time;
  • designing a compliance program that is dynamic and carefully tailored to address these evolving risks and that is periodically re- assessed and enhanced as necessary, based on up-to-date metrics and data, to take account of material changes in the company’s legal, regulatory and reputational risk profile;
  • taking steps to ensure that the company’s compliance program is properly “operationalized” at the level of day-to-day business activities where issues often arise, including by making sure that the right “tone at the top” translates into the right “tone on the ground,” and instituting well-considered training and educational programs aimed at the right audiences and using the right tools; and
  • ensuring adequate board and senior management involvement, both in terms of assuring they are appropriately informed about risks entailed in the enterprise and mitigation measures being deployed to address those risks, and also that the board is given adequate opportunities to pressure test those measures through periodic updates and time for follow-up inquiry.

Fourth, a final reason for continued focus on compliance is that, in recent years, both foreign governments and state attorneys general have become far more active than in the past and now seek more aggressively to bring cases, either alongside U.S. authorities or even in situations where federal authorities have chosen not to act. At the same time, as we explained earlier this year, foreign governments are increasingly adopting corporate dispositions modelled on U.S. NPAs and DPAs, and expressly recognize that credit is being given for companies having effective compliance regimes, adopting appropriate remedial measures, and providing substantial, valuable cooperation. Some foreign countries also have enacted affirmative defenses that would exonerate companies able to demonstrate they had a well-designed compliance program at the time of the alleged wrongdoing. Likewise, having put in place a comprehensive and well-designed compliance program will redound to any company’s benefit when responding to a state attorney general investigation.

For all of these reasons, it is wise to invest in designing, implementing, and periodically refreshing and reorienting a robust compliance program. In our experience, effective compliance programs provide a real opportunity to prevent misconduct from arising in the first place or nipping potential legal and compliance issues in the bud before they blossom into a full- blown corporate crisis. And should misconduct occur, an effective compliance program that enables early detection and timely remediation of misconduct will best position a company to achieve a more favorable resolution at the close of any resulting investigation.

Both comments and trackbacks are currently closed.